Workers biggest source of healthcare industry’s data breaches

Healthcare is the only industry where the biggest threats to data security in 2017 came from its own workers, according to a new report from Verizon.

Verizon’s 2018 Data Breach Investigations Report mirrored what was released last month in its report on breaches involving protected health information (PHI) in prior years. Whereas all other industries profiled—including education, financial and retail—saw the majority of their breaches come from external forces, most of the healthcare industry’s threats came from inside.

More than half of healthcare data incidents and breaches—56 percent—came from insiders, compared to 28 percent of cyberattacks across all industries. The earlier Verizon report put the share of insider threats at 58 percent when combining incidents from the 2016 and 2017 Verizon data breach reports.

Some 79 percent of the breached data involved medical information, with 37 percent of it being personal data and 4 percent being financial. While some employees are abusing their privileged access to data systems, human error was to blame in 35 percent of breaches.

“As Caesar found out the hard way, often those who do you the most harm can be those closest to you,” the report said. “This somewhat bleak finding is linked closely to the fact that there is a large amount of both errors and employee misuse in this vertical.”

Not all the incidents were part of some malicious behavior by employees. In 13 percent of overall incidents and breaches (and in 47 percent of misuse cases), the report said the motivation was “driven by fun or curiosity—for example, where a celebrity has recently been a patient.”

One of Verizon’s recommendations to address these internal threats was to “institute a smackdown policy.” Access to PHI should be monitored and employees should be told again and again that they can be punished for viewing patient data without a legitimate reason.
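One way to put that monitoring recommendation into practice, as an added example and not code from the report: a check over constructed EHR access-log lines that flags record views by staff who are not on the patient's documented care team, then groups the flagged views by patient to surface the "curiosity" pattern around a high-profile admission. The log format, the care-team table and the user names are assumptions.

```python
# Flag PHI record views with no documented care relationship (added example).
# Assumed log format, one line per view: timestamp,user,role,patient_id,action

# Constructed care-team table: patient -> users with a legitimate reason to view
CARE_TEAM = {
    "P1001": {"dr_ahmed", "rn_lopez"},
    "P1002": {"dr_chen", "rn_lopez"},
    "P2099": {"dr_patel"},  # constructed high-profile admission
}

# Constructed sample audit lines
AUDIT_LOG = """\
2017-03-02T08:01:10,dr_ahmed,physician,P1001,view_chart
2017-03-02T08:05:44,rn_lopez,nurse,P1002,view_meds
2017-03-02T09:12:03,clerk_jones,billing,P2099,view_chart
2017-03-02T09:13:51,rn_kim,nurse,P2099,view_chart
2017-03-02T09:15:20,rn_kim,nurse,P2099,view_notes
2017-03-02T09:20:07,dr_chen,physician,P2099,view_chart
2017-03-02T10:30:00,dr_patel,physician,P2099,view_chart
"""


def parse_log(text):
    """Parse the assumed CSV-style audit format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        rows.append({"ts": ts, "user": user, "role": role,
                     "patient": patient, "action": action})
    return rows


def unrelated_accesses(rows, care_team):
    """Views by users who are not on the patient's documented care team."""
    return [r for r in rows if r["user"] not in care_team.get(r["patient"], set())]


def snooping_hotspots(flagged, min_users=2):
    """Patients viewed by several unrelated users: the 'celebrity patient' pattern."""
    users = {}
    for r in flagged:
        users.setdefault(r["patient"], set()).add(r["user"])
    return {p: sorted(u) for p, u in users.items() if len(u) >= min_users}


if __name__ == "__main__":
    flagged = unrelated_accesses(parse_log(AUDIT_LOG), CARE_TEAM)
    for r in flagged:
        print(f"REVIEW {r['ts']} {r['user']} ({r['role']}) -> {r['patient']} {r['action']}")
    print("hotspots:", snooping_hotspots(flagged))
```

Each flagged line is a candidate for review, not proof of misuse; a real deployment would also treat emergency "break-the-glass" access and on-call coverage as legitimate relationships.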

Healthcare organizations were among the most common victims of attacks overall, with 750 incidents and 536 breaches recorded by the report for 2017. They were also major targets of what the report called “social attacks,” commonly involving clicking on links in a phishing email.

“Healthcare has a wide attack surface for social tactics due to the very nature of what they do,” the report said. “Relatives and friends calling in to check on patients, third-party providers of equipment and services and so on can provide a social engineering criminal with a great deal of both opportunities and cover.”

Beyond problems with employees, ransomware continued to be “an epidemic” for healthcare organizations, according to the report. While Verizon said it can’t decipher whether the industry is more susceptible than others to ransomware, it emphasized data security professionals need to “take immediate steps to combat this ubiquitous attack type.”